๐ Home Assistant via MCP protocol
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: mcp-hass Version: 1.0.1 The skill is designed to control Home Assistant devices using the `mcporter` tool. All instructions in `SKILL.md` are consistent with this stated purpose, detailing setup, usage, and configuration. It requires `HASS_ACCESS_TOKEN` and `HASS_BASE_URL` environment variables, which are used legitimately for authentication and connectivity to Home Assistant, not for exfiltration. There is no evidence of malicious execution, persistence, data theft, or prompt injection attempts against the agent beyond the skill's stated functionality.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used, the agent can turn devices on or off or change settings through Home Assistant within the authority of the configured token.
The skill exposes commands that change Home Assistant device state. This is the stated purpose, but device-control actions can have real-world effects.
mcporter call home-assistant.HassTurnOn(name: "Bedroom Light") mcporter call home-assistant.HassTurnOff(area: "Bedroom", domain: ["light"]) mcporter call home-assistant.HassFanSetSpeed(name: "Fan", area: "Bedroom", percentage: 80)
Only install if you want agent-assisted smart-home control. Review sensitive device actions before execution and restrict the Home Assistant user/token where possible.
The configured token may allow querying and controlling Home Assistant resources available to that account.
The skill requires a Home Assistant access token and uses it as the primary credential for the integration.
"requires": { "anyBins": ["mcporter", "npx"], "env": ["HASS_ACCESS_TOKEN", "HASS_BASE_URL"] },
"primaryEnv": "HASS_ACCESS_TOKEN"Use a dedicated Home Assistant account/token with the least privilege available, keep the token private, and revoke it if the skill is no longer needed.
Behavior depends on the external `mcporter` package available at install or runtime.
The skill installs and relies on an external Node package without a pinned version in the provided artifacts.
"install": [ { "id": "node", "kind": "node", "package": "mcporter", "bins": ["mcporter"] } ]Verify the `mcporter` package/source before installing and prefer a pinned, trusted version if your environment supports it.
Device names, areas, status, and other smart-home context may be visible to the agent and potentially retained in chat logs depending on the platform.
The skill can retrieve Home Assistant live context, which may place household/device state information into the agent conversation context.
# Get states mcporter call home-assistant.GetLiveContext
Avoid querying sensitive home state unnecessarily and be mindful of what smart-home information you expose in conversations.